
Filter "root" logins for Failed and Success outputs in succession

dsmeerkat
Explorer

Hello my Splunk Ninjas,

I have a tough one I am trying to figure out. I have a report that gives me:

index=blah sourcetype=unix action=failure
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| stats count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort -count
| head $Local_alert_count$

This search runs fine; however, I have instances where I will get a failed "root" login immediately followed by a successful login on the same system...

14:30:00 - 192.555.1.1 root Failed
14:30:02 - 192.555.1.1 root Success

I need to be able to evaluate these and, if I see a system (Source_Device_IP) with a "Failed" attempt immediately followed by a Success, not report this system. Perhaps something along these lines?

| eval alert = if(match(list, "(?:failure\s?){1,}(?:success)"), "True", "False")

0 Karma

gcusello
SplunkTrust

Hi dsmeerkat,
I would try to extract a field with the result of the login, then add this field to stats and use it to filter, something like this:

index=blah sourcetype=unix (action=failure OR action=success)
| lookup approved_server_ips ip as src OUTPUT filter
| search filter=0
| eval Local_1=split(upper(user),"\\")
| eval Local_Account_Name=if(isnull(mvindex(Local_1,1)),user,mvindex(Local_1,1))
| rename src as Source_Device_IP, Local_Account_Name as Failed_Account_Name
| rex "(?<Result>Failed|Success)"
| stats values(Result) AS Result count(eval(Result="Failed")) AS count by index,Failed_Account_Name,Source_Device_IP,host
| where count>4
| sort -count
| search Result=Failed Result=Success
| head $Local_alert_count$

(verify regex).
Bye.
Giuseppe

0 Karma

dsmeerkat
Explorer

Or better yet an eval against epochtime may be better

0 Karma
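The two approaches discussed in this thread differ in one important way: the values(Result) check flags any source that has both a Failed and a Success event in the search window, whatever the gap between them, while the epoch-time check only flags a success that follows a failure within a few seconds (the "typo" case the original post wants to drop). The following Python script is an added example, not code from the thread or from Splunk; it re-implements both rules over a handful of constructed auth events so the difference can be seen offline. The event tuples, the 192.0.2.0/24 addresses, the 5-second window and the WINDOW_SECONDS / MIN_FAILURES names are all assumptions made for the example.

```python
"""Failed-then-success login pairing, re-implemented outside Splunk (added example).

Groups events by (source IP, account), sorts each group by epoch time, and drops
a group from the report when a Failed login is followed by a Success within
WINDOW_SECONDS. The sample events below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (timestamp, src, user, result).
SAMPLE_EVENTS = [
    ("2024-03-01T14:29:50", "192.0.2.10", "root", "Failed"),
    ("2024-03-01T14:30:00", "192.0.2.10", "root", "Failed"),
    ("2024-03-01T14:30:02", "192.0.2.10", "root", "Success"),  # typo then success: benign
    ("2024-03-01T14:31:00", "192.0.2.20", "root", "Failed"),
    ("2024-03-01T14:31:01", "192.0.2.20", "root", "Failed"),
    ("2024-03-01T14:31:02", "192.0.2.20", "root", "Failed"),
    ("2024-03-01T14:31:03", "192.0.2.20", "root", "Failed"),
    ("2024-03-01T14:31:04", "192.0.2.20", "root", "Failed"),
    ("2024-03-01T14:31:05", "192.0.2.20", "root", "Failed"),  # 6 failures, no success: report
    ("2024-03-01T09:00:00", "192.0.2.30", "root", "Failed"),
    ("2024-03-01T09:00:01", "192.0.2.30", "root", "Failed"),
    ("2024-03-01T09:00:02", "192.0.2.30", "root", "Failed"),
    ("2024-03-01T09:00:03", "192.0.2.30", "root", "Failed"),
    ("2024-03-01T09:00:04", "192.0.2.30", "root", "Failed"),
    ("2024-03-01T17:00:00", "192.0.2.30", "root", "Success"),  # success 8 h later: still report
]

WINDOW_SECONDS = 5   # assumed: how closely a Success must follow a Failed to count as a typo
MIN_FAILURES = 5     # the thread's "where count>4"


def to_epoch(ts):
    """ISO-8601 timestamp (assumed UTC) to epoch seconds, the role of _time in SPL."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc).timestamp()


def local_account_name(user):
    """Mirror of split(upper(user), "\\") + mvindex(..., 1): keep the part after a backslash,
    otherwise return the user string unchanged, exactly as the thread's eval does."""
    parts = user.upper().split("\\")
    return parts[1] if len(parts) > 1 else user


def _group(events):
    """Group (epoch, result) pairs by (src, account), sorted by time within each group."""
    by_key = defaultdict(list)
    for ts, src, user, result in events:
        by_key[(src, local_account_name(user))].append((to_epoch(ts), result))
    for evs in by_key.values():
        evs.sort()
    return by_key


def followed_by_success(events, window=WINDOW_SECONDS):
    """Epoch-time rule: keys where a Failed event is followed by a Success within `window` seconds."""
    flagged = set()
    for key, evs in _group(events).items():
        last_fail = None
        for t, result in evs:
            if result == "Failed":
                last_fail = t
            elif result == "Success" and last_fail is not None and t - last_fail <= window:
                flagged.add(key)
                break
    return flagged


def has_both_results(events):
    """values(Result) rule from the reply: keys with any Failed and any Success, regardless of timing."""
    return {key for key, evs in _group(events).items()
            if {r for _, r in evs} >= {"Failed", "Success"}}


def failed_login_report(events, min_failures=MIN_FAILURES, window=WINDOW_SECONDS):
    """Count failures per (src, account), drop keys below the threshold or whose failure was
    immediately followed by a success, and sort by count descending like `sort -count`."""
    counts = defaultdict(int)
    for key, evs in _group(events).items():
        counts[key] = sum(1 for _, r in evs if r == "Failed")
    benign = followed_by_success(events, window)
    rows = [(src, acct, n) for (src, acct), n in counts.items()
            if n >= min_failures and (src, acct) not in benign]
    rows.sort(key=lambda r: (-r[2], r[0]))
    return rows


if __name__ == "__main__":
    for src, acct, n in failed_login_report(SAMPLE_EVENTS):
        print(f"{src:12} {acct:8} failures={n}")
```

On the sample data the epoch-time rule only excludes 192.0.2.10, whose success came two seconds after the failure; 192.0.2.30 is still reported because its success came eight hours later, whereas the values(Result) rule would treat both sources the same. When porting this back to SPL, the per-group ordering and "previous event" comparison are what streamstats provides; the threshold and window values are assumptions to tune against real data.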